Date format problems in generated Search-UnifiedAuditLog #27
Comments
Can I also add to this too - we are seeing this issue on the latest v1.14.0 release and it is preventing us from collecting user tenant logs. However, I wonder if it is an update of an associated PS module rather than Hawk itself: Cannot process argument transformation on parameter 'EndDate'. Cannot convert value "31/10/2019" to type
Same problem here but in Italian: [07/11/2019 11:58:37] - Searching Range 10/13/2019 00:00:00 To 10/13/2019 00:00:00
I have had the same issue today when running the user investigation: [19/11/2019 11:18:32 AM] - Searching Unified Audit log for Records of type: AzureActiveDirectoryStsLogon [19/11/2019 11:18:32 AM] - [WARNING] - Unified Audit log returned no results.
Hi!
Hi! To resolve the issue see the link below:
As @sssseossss said, it looks like the start time can be cast into the correct language settings by using the information from https://blogs.technet.microsoft.com/dsheehan/2017/09/24/powershell-datetime-throws-the-error-string-was-not-recognized-as-a-valid-datetime/ I'm running some tests, but it looks like get-hawktenantauthhistory.ps1 can be fixed by updating the datetime[startdate] parameter to just $startdate and then adding the following after the try/catch statement.

```powershell
# Convert date format from https://blogs.technet.microsoft.com/dsheehan/2017/09/24/powershell-datetime-throws-the-error-string-was-not-recognized-as-a-valid-datetime/
# Extract the default Date/Time formatting from the local computer's "Culture" settings, and then create the format to use when parsing the date/time information pull from AD.
$CultureDateTimeFormat = (Get-Culture).DateTimeFormat
$DateFormat = $CultureDateTimeFormat.ShortDatePattern
$startdate = [DateTime]::ParseExact($startdate, $DateFormat, [System.Globalization.DateTimeFormatInfo]::InvariantInfo, [System.Globalization.DateTimeStyles]::None)
```

Unfortunately this is a bad file to test with as there are a lot of audit results coming back in 48 hours.
That is great if you fix this, however isn't it simpler to just convert directly in global settings with this short string:
Seems to be more complicated than that. In a machine that was US and switched to UK locale without rebooting, using the .tostring method returns 2 march 2019 00.00.00 which is incorrect (but it doesn't care about leading zeros or not). However after rebooting into a UK locale, you get an overload error:- `$s=$startdate.tostring("MM.dd.yyyy")`
So I am currently trying to run this and the acceptable time format would be yyyy-MM-dd however Hawk is passing MM/dd/yyyy. This is for both the tenant investigation and the user investigation. Is there any fix for this? and `Get-Date : Cannot bind parameter 'Date'. Cannot convert value "01/20/2020 00:00:00" to type "System.DateTime". Error: "String was not recognized as a valid DateTime."`
Why convert to the American date/time format?
It appears there used to be a fix for something similar within Get-HawkUserMailboxAuditing.ps1. It was commented out when @Canthv0 converted $hawk to store datetime object. This is the bit that converted the date in Get-HawkUserMailboxAuditing: Could this same line be applied to At the moment, my workaround for this is manually changing the regional format settings to English (United States) before running Hawk.
Thanks @howellzd - I found that if I change the data formats and short date to yyyy-MM-dd instead of changing my settings to US that also worked (means I don't need to change back and forth).
Right, I see. It is annoying for people with non-US language settings if they stick with the default method of inputting the number of days of logs to pull (e.g. 90) or using "Today", they are going to face this issue.
Yeah, I'm in Australia, I found that even if I typed in the US date format, or yyyy-mm-dd instead of the default 90 days I got the error. I have been using Hawk today with just my short date set to yyyy-mm-dd without having to change any other setting to US format, so I think I can live with that. Both tenant and user investigations ran happily.
Also over in Australia and having the same issue. Other applications that require the shortdate to be correct break so changing that isn't ideal.
Hi. I have the same problem :/ [16.10.2020 08:16:54] - Search-UnifiedAuditLog -RecordType 'AzureActiveDirectory' -Operations 'Add OAuth2PermissionGrant.','Consent to application.' -StartDate '18.07.2020' -EndDate '17.10.2020' -SessionCommand ReturnLargeSet -resultsize 1000 -sessionid 081654
The Search-UnifiedAuditLog command that gets generated seems to generate with dates and times in the local format. As a UK native our format of dd/mm/yyyy does not get accepted by that cmdlet, causing an error:
Cannot process argument transformation on parameter 'EndDate'. Cannot convert value "19/09/2019" to type "Microsoft.Exchange.ExchangeSystem.ExDateTime". Error: "String was not recognized as a valid DateTime."
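
An added example, not code from Hawk or from any commenter, illustrating the failure described in this issue: a date rendered with the local culture's short date pattern can be rejected, or read as a different day, when it is parsed somewhere else, while a `[datetime]` formatted with the invariant culture stays stable. The function names and sample dates are constructed, and the invariant-culture parse is an assumed stand-in for the receiving side, not the actual Search-UnifiedAuditLog parser.

```powershell
# Added example. Function names are hypothetical and not part of Hawk.
$Invariant = [System.Globalization.CultureInfo]::InvariantCulture

function ConvertTo-InvariantDateString {
    # Render a [datetime] in a fixed, unambiguous layout that ignores
    # the workstation's regional settings.
    param([Parameter(Mandatory)][datetime]$Date)
    $Date.ToString('yyyy-MM-dd HH:mm:ss', $Invariant)
}

function Test-CultureRoundTrip {
    # Render $Date as a short date in $CultureName, then re-parse that string
    # with the invariant culture (assumed stand-in for the receiving side).
    param(
        [Parameter(Mandatory)][datetime]$Date,
        [Parameter(Mandatory)][string]$CultureName
    )
    $culture = [System.Globalization.CultureInfo]::GetCultureInfo($CultureName)
    $local   = $Date.ToString('d', $culture)
    $parsed  = [datetime]::MinValue
    $ok = [datetime]::TryParse($local, $Invariant,
        [System.Globalization.DateTimeStyles]::None, [ref]$parsed)

    # Three outcomes matter for log collection: a hard error, a silently
    # shifted search window (day and month swapped), or a correct parse.
    $outcome = if (-not $ok) {
        'Rejected'
    } elseif ($parsed.Date -ne $Date.Date) {
        'WrongDay'
    } else {
        'Ok'
    }
    [pscustomobject]@{
        Culture     = $CultureName
        LocalString = $local
        Outcome     = $outcome
        SafeString  = ConvertTo-InvariantDateString -Date $Date
    }
}

# Constructed sample dates: one with day > 12, one where day and month can swap.
$samples = @([datetime]::new(2019, 10, 31), [datetime]::new(2019, 11, 7))
$results = foreach ($d in $samples) {
    foreach ($name in 'en-US', 'en-GB', 'it-IT', 'de-DE') {
        Test-CultureRoundTrip -Date $d -CultureName $name
    }
}
$results | Format-Table -AutoSize
```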